WordPress 4.9.7, released in 2018, is still running on approximately 168 websites worldwide. However, this older version contains 9 known security vulnerabilities, including 4 high-severity CVEs that pose significant risks to your website's safety. These vulnerabilities range from PHP object injection to cross-site scripting attacks that could compromise your data and user information.
If you're still running WordPress 4.9.7, you're operating with outdated security protections. Cybercriminals actively exploit known vulnerabilities in older WordPress versions, and staying on 4.9.7 leaves your website exposed to attacks. This guide explains the specific threats affecting your version and provides actionable steps to protect your site.
Understanding these vulnerabilities is crucial for any website owner concerned about data security. We'll walk you through identifying if you're affected, understanding the risks, and implementing comprehensive security measures to safeguard your WordPress installation.
WordPress 4.9.7 is a release from June 2018 that introduced improvements to the WordPress content management system. At that time, it was considered secure and modern. However, WordPress development has continued with regular security updates, and versions from 2018 no longer receive active security patches. Think of WordPress 4.9.7 like an older car model—it worked great when new, but safety standards have evolved, and it lacks modern protective features.
Today, running WordPress 4.9.7 is like driving a vehicle without airbags compared to modern cars with advanced safety systems. The platform itself may still function, but the security vulnerabilities that have been discovered since 2018 remain unpatched. Hackers know exactly what weaknesses exist in this version and can exploit them to gain unauthorized access, steal data, or inject malicious code into your website.
9 CVEs found. The most critical are explained below.
The Brooklyn theme doesn't properly validate data it receives, which could allow attackers to inject malicious code. This is a technical flaw in how the theme handles information from users or external sources.
Impact: An attacker could take control of your website, steal sensitive data, or inject malware that affects your visitors.
WordPress doesn't properly check that uploaded plugin packages actually contain plugin files, allowing attackers to upload dangerous PHP files instead. These files can sit unnoticed in your uploads folder and be executed later.
Impact: Hackers could upload malicious code that runs on your server, giving them control over your website and potentially your visitor data.
The WP All Import Pro plugin doesn't safely process imported files, allowing attackers with admin access to inject malicious code. The flaw lies in how the plugin reads and processes data from import files.
Impact: A compromised or abused admin account could lead to website takeover, data theft, or malware distribution to your visitors.
The Brooklyn theme doesn't properly clean user input before displaying it on pages, allowing attackers to inject malicious scripts. These scripts run in visitors' browsers when they view affected pages.
Impact: Attackers could steal visitor data, session information, or redirect users to malicious sites without your knowledge.
The Import any XML or CSV plugin doesn't properly validate SVG files before allowing upload. SVG files are text-based and can carry embedded scripts, so attackers can hide malicious code inside what looks like an image.
Impact: Malicious code could be stored on your server and execute when the SVG files are accessed, potentially compromising your website.
The Popup Box plugin doesn't verify user permissions before allowing changes to its settings. This means unauthorized users could modify your plugin configuration.
Impact: Unauthenticated attackers could disable the plugin, alter popup behavior, or use it as an entry point to attack your website.
| CVE ID | Severity | Score | Published | Description |
|---|---|---|---|---|
| CVE-2024-8488 | MEDIUM | 4.4 | 2024-10-08 | The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitiza… |
| CVE-2024-9661 | MEDIUM | 4.3 | 2025-02-07 | The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the … |
| CVE-2026-5075 | MEDIUM | 4.3 | 2026-05-20 | The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to … |
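The Popup Box permission flaw described above and the missing-nonce CSRF entry for WP All Import Pro in the table share one root cause: a settings handler that never asks who is calling or whether the request was intended. The added example below (written for this page, not code from any plugin named here) shows that pattern next to its hardened form; the hook names, option name and page slug are hypothetical.

```php
<?php
/*
 * Added example, not code from the Popup Box or WP All Import Pro plugins.
 * Hook names, the option name and the page slug are hypothetical.
 */

// VULNERABLE: the _nopriv hook exposes the handler to logged-out visitors,
// no capability check is made, and without a nonce a logged-in admin can be
// tricked into submitting this form from another site (CSRF).
add_action( 'admin_post_nopriv_example_popup_save', 'example_popup_save_insecure' );
add_action( 'admin_post_example_popup_save', 'example_popup_save_insecure' );
function example_popup_save_insecure() {
    update_option( 'example_popup_enabled', $_POST['enabled'] ); // unvalidated input
    wp_safe_redirect( admin_url( 'options-general.php?page=example-popup' ) );
    exit;
}

// HARDENED: registered only for logged-in users (no _nopriv hook), restricted
// to users who may manage options, and accepted only with a valid nonce.
add_action( 'admin_post_example_popup_save_secure', 'example_popup_save_secure' );
function example_popup_save_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 unless the request carries the nonce emitted by
    // example_popup_render_form() below.
    check_admin_referer( 'example_popup_save', 'example_popup_nonce' );

    // Normalise the input to a known value instead of storing it verbatim.
    $enabled = ( isset( $_POST['enabled'] ) && '1' === $_POST['enabled'] ) ? '1' : '0';
    update_option( 'example_popup_enabled', $enabled );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-popup' ) );
    exit;
}

// The settings form that pairs with the hardened handler: the hidden nonce
// field is what check_admin_referer() validates on submission.
function example_popup_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_popup_save_secure">
        <?php wp_nonce_field( 'example_popup_save', 'example_popup_nonce' ); ?>
        <label>
            <input type="checkbox" name="enabled" value="1"
                <?php checked( get_option( 'example_popup_enabled' ), '1' ); ?>>
            Enable popup
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```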
WordPress 4.9.7 is no longer safe for production websites. With 9 known vulnerabilities—including 4 high-severity issues—your site faces real risks from hackers, data breaches, and malware infections. The good news is that updating to a modern WordPress version is straightforward and dramatically improves your security posture. Don't wait for a security incident to force action; proactively protect your website today.
SiteRecipe.com's security scanning tool provides comprehensive vulnerability detection and remediation guidance tailored to your WordPress installation. Get a free security assessment now to identify all vulnerabilities affecting your site and receive step-by-step guidance to eliminate them. Protect your website, your users' data, and your business reputation by taking action today.